Headline
RHSA-2023:5236: Red Hat Security Advisory: libwebp: critical security update
An update for libwebp is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which give a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process “WebP” image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- OpenShift Dev Spaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Quarkus
Integration and Automation
All Products
Issued:
2023-09-19
Updated:
2023-09-19
RHSA-2023:5236 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: libwebp: critical security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for libwebp is now available for Red Hat Enterprise Linux 8.1 Update
Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which give
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Description
The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format (RIFF). Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently.
Security Fix(es):
- libwebp: Heap buffer overflow in WebP Codec (CVE-2023-4863)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.1 x86_64
Fixes
- BZ - 2238431 - CVE-2023-4863 libwebp: Heap buffer overflow in WebP Codec
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1
SRPM
libwebp-1.0.0-5.2.el8_1.1.src.rpm
SHA-256: e1e5851c9d6a0117168a7fcdb2dab8c8c658a15ad6a90fb8c0037e120e9c1f62
ppc64le
libwebp-1.0.0-5.2.el8_1.1.ppc64le.rpm
SHA-256: 74596bfdb6c1b16d9be25aea0b024f2f7479035918d6dce6d673bdc0f63512af
libwebp-debuginfo-1.0.0-5.2.el8_1.1.ppc64le.rpm
SHA-256: fc54e5aaa2b7bf981a54cc8d5cc07ef80c053354bfb22b01118f5076eae161a3
libwebp-debugsource-1.0.0-5.2.el8_1.1.ppc64le.rpm
SHA-256: 0c569dc1822fb3cdcc4664170bd991e9563fb43a3fe46ad231c4189402a25aee
libwebp-devel-1.0.0-5.2.el8_1.1.ppc64le.rpm
SHA-256: 34c1a51060b97fcaae824cab9590b46bed41abc9833db2f43cd059f19ce30e58
libwebp-java-debuginfo-1.0.0-5.2.el8_1.1.ppc64le.rpm
SHA-256: 0e2d5122a9238e9fce92198d718a820738bd2dd74f03cfa5c9085bad9f98afc6
libwebp-tools-debuginfo-1.0.0-5.2.el8_1.1.ppc64le.rpm
SHA-256: cc3185849fb3acf447a753b281f4ffa43a333a01613604b95cb600425be68715
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.1
SRPM
libwebp-1.0.0-5.2.el8_1.1.src.rpm
SHA-256: e1e5851c9d6a0117168a7fcdb2dab8c8c658a15ad6a90fb8c0037e120e9c1f62
x86_64
libwebp-1.0.0-5.2.el8_1.1.i686.rpm
SHA-256: 4fc0fb0cd385e5e9c54568e3a8c6e3d3c69f8c1c8526c784b6884e9550030433
libwebp-1.0.0-5.2.el8_1.1.x86_64.rpm
SHA-256: 403d57d0c0c67979a5999e08122406503aa16a17f6ac1b9e03622afe4d6a3d2b
libwebp-debuginfo-1.0.0-5.2.el8_1.1.i686.rpm
SHA-256: 8d76335d048655f285b3d5e9c62eea7861c7ae94ab3cfc71071a12ae1ce7cfa7
libwebp-debuginfo-1.0.0-5.2.el8_1.1.x86_64.rpm
SHA-256: fa339138b6d264f6a4de747f3e4938d629544818d01b50be071c2058c56fd7a0
libwebp-debugsource-1.0.0-5.2.el8_1.1.i686.rpm
SHA-256: d9e3ac7661e0bdc2c5cccba8c3a1323ef345a6f09916c18e757b77ffdb8a2d9b
libwebp-debugsource-1.0.0-5.2.el8_1.1.x86_64.rpm
SHA-256: 6b2379296c3f4ba261a3775caff15f8b64cc89ed3e5f0faef847cc8011683e0b
libwebp-devel-1.0.0-5.2.el8_1.1.i686.rpm
SHA-256: 261a36db37f550d59d886d08652204e1d725f879fc77be4fcf150235ddca3b6f
libwebp-devel-1.0.0-5.2.el8_1.1.x86_64.rpm
SHA-256: f38ebfda9ecd4b920d549136da236f2c714bfa1e2aed03fbeb169b14a926dab4
libwebp-java-debuginfo-1.0.0-5.2.el8_1.1.i686.rpm
SHA-256: 73bde59848d14159eb6ce9596c3eb052e6154ec9892207db48a63f06341cc996
libwebp-java-debuginfo-1.0.0-5.2.el8_1.1.x86_64.rpm
SHA-256: 0bbc681a5322ff6c55b490bc86441ca49c0f526b74153906e5688308d819b103
libwebp-tools-debuginfo-1.0.0-5.2.el8_1.1.i686.rpm
SHA-256: cf17460b0ab0eaf154675fbe44daf5ead27b1e26c3c81ab010bf57d817da5f13
libwebp-tools-debuginfo-1.0.0-5.2.el8_1.1.x86_64.rpm
SHA-256: cc6851920d54a72ec5acc80c7c74c7040094671e8000f7b5c61f39cea7e3736f
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.
Clone vulnerability in the huks ta module.Successful exploitation of this vulnerability may affect service confidentiality.
Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217. Through our investigation, we found that these affect a subset of our products and as of today, we have addressed them in our products as outlined below: CVE-2023-4863 Microsoft Edge Microsoft Teams for Desktop Skype for Desktop Webp Image Extensions (Released on Windows and updates through Microsoft Store) CVE-2023-5217
Two notable vulnerabilities in Google Chrome should be patched asap, and an allegedly new ransomware-as-a-service group.
Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild. Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm - With a specially
An update for libwebp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.
Red Hat Security Advisory 2023-5224-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.15.1. Issues addressed include a buffer overflow vulnerability.
Red Hat Security Advisory 2023-5214-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a buffer overflow vulnerability.
An update for firefox is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.
Debian Linux Security Advisory 5498-1 - A buffer overflow in parsing WebP images may result in the execution of arbitrary code.
An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker...
An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.
Debian Linux Security Advisory 5497-1 - A buffer overflow in parsing WebP images may result in the execution of arbitrary code.
Debian Linux Security Advisory 5496-1 - A buffer overflow in parsing WebP images may result in the execution of arbitrary code.
Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)